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si.) Kval Partj In Interest 

fuc 'eal paU> ra no.-rest n the ahne appitorjlior. k Mi^u ><cou>rU be 
Hi,) HeJufvti Appi-ah and Initrfcrvnci'S 

Ire s.opo:i<irsi ^ r-v\ ,uwik oi am, appe.Js ot interferences sclcce; H> the aho\ e-see?mf or 
patent application. 

Status of Claims 

This is an appeal from * ie dousi, n o| me 'imu^ <• » > on i e r an O^kc \« t t ; <e\ ' 

April 18. 2006,ie]eehnadai?m niteedmn-n It .pflua? or < \\i j ^a,,t„ 

subject of this appeal. 

(iv.) Siaius of Amendments 

Appellant tiled a Reply to the Final Office Action amending claims 1 and 16 to correct 
the informalities pointed out by the examiner and incorporate a portion of the preamble into the 

In an advisory action dated July 20, 2006, the examiner did not enter the amendment 
indicating that amendments to claims 1 and 1 6 required further consideration and or seaeh. 
Accordingly, the claims on appeal are those that existed prior to the final action. Appellant filed 
a Notice oi Appeal on October 19, 2006. 

(v.) Summary of" Claimed Subject Matter 

Claim 1 

One aspect of Appellant's invention is set out in claim I as a gateway deviee disposed 
between a data center ami a network for thwarting denial of service attacks on the data center, the 
gateway device comprises a computing device. "'The arrangement 10 to protect the victim 
includes a control center 24 that communicates with and controls gateways 26 and data collectors 
2S disposed in the network 14. The arrangement protects against DoS attacks via intelligent 
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i;a:hc anak^s ard fiitcnng thai is do>uvMit(.d thn>u»hom i;k- ' t enu<rk/' | Appcikmf.s 
spooihcalior Pu;c > arc r 22 j, 

iP-scr-u l;ojI;I!os o:V..!,!;! • .ucksdo a -.neiiJtor ir.£ pi^cc-s thai ii'ouuo;- ;\uwoil iJvdYie 
ih'.^itih the ju-o^av " Use L-ate\va\ ~>o include- a mnnjtopjho process ^ fj b 5 f»B) thai uvuuois 
M.-fTic :raL oo^o,- 'bunt"!-- iho eaieuav " , Appellant's s^cslkatvu Pjsv ~, mie-' - lOj 

ki\ c:nv c loathe- ofeiau-p 1 aUo include a conirmakjtiv-ir, pi-ce:s thai -axnmumciilos 
-.lathes cd.oereo; \a \ io i:au,u t i> from tin. nvinuonnsi irooos ^uh a control ccro.e. arul dun 
exwacs qocfK- os .sisffa^tsors fkuv iho cunroi, eenter " as \\< II as a eommu'iKau^i pi.'u^^ 
^ ilrc ^ji c- i:>;s\r;i:c.;tc si'iti-nos wikvied in dse smIvv a\ ?o ftiH iho dai \ eonki J • " 
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yatcu.n j*> e:r. iiviudc oivco-v-! m jllvv <us admirr. Orator to snseU hhe:^ to Phcr out. \ e 
ds-oard paokot^ shit dcMec deem- i.-> be p.irt of ah atiack, ,h de!errrji:ed b\ heurjMie* 
u'e-erbed heh'\\ " ; VppoILmt's speeiikaUon Page "\ hues 
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i ^ ui^aivsTh, 1 J' m Ik ,o vtnLl vn s do -Vv.tO.sv 

M. >jj Vu odor\ N0J.iP< rn c ■> <. \ X - coo rf on > i 
^[\ > o ik »j dorv' As upoo (1 s hal pit >n j * i <\ i <_ 
p M.a<.tK su^ ^ P>lnvJ». S ,w^k>> 
p..T. ! ns „ J c vonuui ha** tor iu h i! ,> , ,k tx^h 
t ! Noil )i>,n„ < ik he ^ tr«v <.»t o n ^ jj\ ^hLl s ti < 

1 K>..' (..O^li Ifl^lA vkllU !l d p'^ i 0 IKLM- 

225 U.S.P.Q. at 258. 

Kv " r " x ' " 1 1 (.!>«>• J \t, pMKi,VJi-(. Uv( !<-a '.mo. ono 
"jo's i„ i\ Ji^ ^ ~ <>< 1 1 id. .ru ^ Mil v. i, tMt^c^tciii ■> u ^ sk r oddovi.e 

>'UK p l^d 'f ' )J ». ) !• , dfl k'KMv.L k <. <.> vN ah l-v „ ^ TIL' .s ,>{ < lojr, v. li •■ CiifKV 

< Uuns ml not iiniicip.vkd In "\ *n:tlkar 

^ vsoMi ^.ppoa. <miK ,i ^ i in s s « >,wUo, t.n 

M K v « ^ i v C| <L-CLl^ Pi.il s <>roi i O <J t ii ^ 

i oj '^')0v »c l >* .\ \ u llv'u Jisv^eJ .li I \ ... sto* , id 'vtvvor.. :< N r 
\vt< UA" ^ ^' v it ,ck , !' <. da !^us\j Il.iUc'^ !r< 1 d , npt\r. v 

wvu N i k K,t Jv . k-v',U > k t , u ul ipilij JtMul 'K!.0S...a 

IU1' ii^M l"' .0^ lH .or. !t )tk }fL S'ltH- 1U U ilJvliuv'V^.IHI 

*> ■>'!-.» f*' j.omo .oil., and hjUuchowMCi ^ trs^ULt i^ i> 1 1 ho 

nU>i ^ \v. if v , ii.^T > s . n n >oti UJ + t v\i f <.h%t>'k lvs*i 't 'n .t p.^kerNC'v 
v o i f t \< - dv<. «^ , ik pj>i \ <v tl t j t) ^k ' 
The examiner contends thai; 
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<s ,nii!k«: ijisokrtt.", s«jti.«Aj iU wev ih\{>'js«l hef.voen d (faia ctt-tv juiij a 
v>i><!> so) 'Imjitmg (Rt)!,!} of ^t(s.ct> a«t.ick\ <ir. 5 hi ti^is: (.oiiut. tht ,>.i!«a» 

ii.e» vol.-. linev 4^ 4S: 



a communication process that cofiinmnicatc statistics collected ieoU, lines +-5 
and and eoi.i. Sines 2Jf-45; statistics horn the monitoring process is inherently 

"atherxti data of simiJariiies or differences used tor analysts purposes to determine 
the attacks and kind «rf traffic o« the gateway .j in the gateway from the moniloring 
process nith a contra! center and that receives tjueries or instructions front the 
control center: jcoU. fines 25-20 and e«i. II, Sines 51-55S and 

a filtering process to insert filters on network devices {coU, iiti«s 46-55 and col. 
i.l, lines' So~<>2j to filter out packets that the gateway deems to be pari of an attack. 
ict«.2f), siots 2i.S-2f j {r.tnphasis in original omitted! : 

Yavatkar tails to describe or suggest a communication process that communicates 
statistics collected in the gateway by the monitoring process to a control center and that receives 
queries or instructions from the eomroi center. The examiner contends that Yavatkar discloses 
this feature at Col 2, lines 4-5. Rattier, Appellant contends that Vavatkar discloses: "A sniffer is 
a device which may record network statistics at. a node."" Similarly, Yavatkar discloses: 
"Worksheets 234-38 may perform tasks such as monitoring port statistics, CPU utilization, or 
reachability to other nodes.""* 

Net* her of these teachings describes or suggests the claimed feature of: "a communication 
process that communicates statistics collected in the gateway by the. monitoring process to a 
control center and that receives queries or instructions from the control center. 0 

"Flic examiner also argues that: "statistics from the monitoring process is {sic} inherently 
gathered data of similarities or di /Terences used tor analysis purposes to determine the attacks 
and kind of traffic on the gateway," 4 Appellant again disagrees. With respect to the "sniffer" 
device Yavatkar leaches that the sniffer is a prior art technique that is slow and inaccurate. 
According to yavatkar: 



f/ur example, to determine She node «vhich h the soarce of attack traffic, (or fat 

gateway allowing such traffic into a neosurk. which in such a case mav he 
considered :s source) and the path or paths taken !n such traffic., a hamaa operator 
may t.-itch fsnk a node receiving such traffic. »nti anaty/.e the. in«wtin« 

traffic asitii> a sniffer. A sniffer is a device which may record sie-wmk statistics at a 
siode. Viie operator mav identify which of tfte physic;;! finks attached io the node is 
fccfivin-; » certain type or amount of traffic arid then move to the node on !h>; other 
end of the identified fink. The path or paths of traffic, from the source of the traffic 
mac lie found by ira versing tin: network from node to node, using the sniffer at each 
tsode ii! a path, itntii the soarce is reached. 



\rpiK. a X^ssn U? n - \ tonni ii • >.M' Wnr.'^lKLi . Vi chapel 

W 'i> . it ^ .>)k j.ihe: the ihsjoscd smfil" "'coords network siakst e^ at a node ' 
inccis ;hc v. eir.o-l H a:nre of" statistic,; collected in the ^ttew o.\ rr-Mn the inornaunk> piote^- - 

if is v:i.uic dear tha* \ awitkai ekaih discloses that ■{ the operator Mui max uk-i-idx xxtuds 
pn>MO< 1 hrsk vueivad u- -he ueuk recvU'ed a ceiiara t\pe or aifioiaa nj ■ untie a id then jk<i\ i.. 
tlk node ois t io oihe; end oi the Lnk llowexcr. this does nor u\uh the leaUnes of a >u.«iitoitni; 
pieces^ kiat nuativ^- netwoil ti.dTie tliroitiih the L\uex%a> and a commumeati^a piwes^ tku 
conmjuia^aks sumacs collected ni the gateway b\ the 'lionivnuif process to a ^<iri;e; cente* 
md thai rcccnes queue* o- instructions rum the eom-o : cemeu 

kvikvu, Yaxatkai ako docs not teach the clamed e- livurunaeapoii ptwes^ h\ sue 
disclosed ""A ork^htvts I ' \ .ukai discloses work ^heeK as part of an :ueut '. i 0. 

hi an txeinpLn. < mR^tJunont .i}<oni 110 iikIskSvi f<xi,- si-ant^nt 220. which >- 
n-««.ii\etf H sTK>iho<>'- v>fi)c!i ,ne membt ! -, <>! ,ij;tiit Ui» asui « iiK.ii jmnitf. 

\um UopaUu $« ajivnt S M; st.ue 2i(>. (. <«ii, se^nu-nt 22«> iHc!«<ir» pi k object 
2^2 ;iui\Kii;V4 liuutifcufrt* M ! Ml Stiiti 2H' iniimiev>*«jksh>>et\ 2^-4. 2>«ii«ii 

l-<s; >v«kfth!»i K2 fisa> u^- i>mkiiiocti 2^4-^8 t'i \>r<;\ul? fntictiotuiifv h- ,s;iuit 
Hi- ^«}i»s3i»,is?*4^S,iu utemiuis <■! .t-jCK) i JO «hicfi m.n in ia^a'm >hk. 

'i'iis.itkii 1 ' Ji-eo ui\ diseh'se a-a\ loature ui the eontnS confer vMt'i \b*.-\- 'ju^km^ 
\*.-jeu\ c:. jiso Vasatkar .!jooiu->os a "^rdier" .is an e^cnoai ot the prior art \s h!«.h lie 
°tr,>it,-!\ en!-ei,es. a;-d 'ij^ei^^s orko-ieeis"' pan i>\ the -fate of the dis^l-^od ,u;lu1s 1 h 1 :i 
eafifi.n ik>t i>-lh-\>, that the evans-tier h'-o inade out a oa*e ot pj in; a Sae;o antieinat'ou, since thosv , 
■10 distit^ute a "'s a\. :kar that as\-s the combined t\»iciK>:ta:ti> of Uie sti'.tfe" 'he xv-'srksli-.eio 
rbereio-e, aNvjinr,;; <?/ ;in »S" iluit senehow tiie^c uxo pao-sj^cs did teaeh the clanv.i fc.-iure, 
the >.>.aina\er °t;ll h is itor jiKwIe out a rnnia iacie ;ut!^;p itioi! eaic, siiiec- ihe.-e feakiiv-. asc 
.'o-ek»aed as diseonf-eo-ed a; d trxvinpiiUhk- uvnl indeed one leaiuic is amc, t.-d b, ^ ^ atkar, 
lhercfou\ ) re> aik.ir could n«»i meet the kst i<> CMaOhoii arueipativu ai- set iorih b> the t edeiaS 
i ireint " Xutioipa-jou rcqu•te^ tuv p?esc.fke m a singk pn-«r an disjos^ie of all cle'iunts of a 
clairied i;nert\> - - o-^ed is hi the Jatnt " C<>m>J ! i- v an RoJ^J, .a ('<- ^0 t VP Q 
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Yavatkar also discloses agents, "mobile software modules" to collect data on die state of 
a network during a network attack. However, Yavatkar also discloses thai an agent manages 
devices via sen-ices provided on a proxy device to monitor or control managed devices. 6 
Yavatkar says nothing that could suggest a communication process that communicate statistics 
collected in the gateway from the monitoring process with a control center and that receives 
queries or instruction}, horn the control center. Yavatkar'' s disclosed agents do not communicate 
statistics collected in the gateway or receives queries from a control center. Neither the agent 
nor the snifter receives queries. from a communication process running on a gateway. 

Claim I also requires a filtering process to insert filters on network devices to filter out 
packets thai the gateway or the control center deems to be pari of an attack. 

Yavatkar however teaches to either shut down the gateway or to insert filters with the 
conventional sniffer. " However, hi Yavatkar, that decision is performed by an administrator 
using a sniffer that determines a physical link or certain modules under direction of a central 
console* not as in claim i where a computing device includes a filtering process the filter 
removes packets that the gateway deems to he part of tine attack. Yavatkar also discloses that 
with such: information a .network administrator moves from node to node, tracing the path of the 
hostile messages from the victim to the source or to the gateway allowing such traffic to enter the 
network. Yavatkar acknowledges that such a method of determining the source of messages is 
slow. Yavatkar proposes to address this by use of watchdog and bloodhound agents. 1 ' Therefore, 
Yavatkar tails to teach the "'gateway device comprises. ., a filtering process to insert filters on 
network devices to filter out packets that the gateway deems to be part of an attack .'' 

Appellant contends '.herefore that Yavatkar must fail as an anticipating reference because 
Yavatkar fails to describe that the gateway includes a computing device, disposed between a data 
center and a network with the computing device executing a monitoring process ... a 
communication process and a filtering process, as claimed. The examiner's anticipation 
rejection is a concoction of unrelated elements from Yavatkar that existed in three separate 

0 Sec Yavatkar col. ! 3 , Hnes 46-55. 

' Yavatkar Cot S3, lines 54-58 

" Yavatkar Col. 13. line. 6:? m Cot 14, 2 

v Yavatkar discussion starting at Col, 14, line 18 



nK h s.d n ^ i< - si i » o u, vl - <lv- not constitute an anticipation reference since 
although assigning arguendo that these mechanisms have some individual relevance to the 
claimed features, they are not described as existing together 'Thus, Yavatkar cannot describe the 
claimed gateway, since there is no device or structure m Yavatkar that possesses all of the 
features oi the claimed gateway. Thus, assuming that the examiner is correct thai elements from 
claim I are found in the reference, it is patently clear that those elements are not arranged in the 
reference m a manner as they are arranged in the claim. 

For example, the monitoring process the examiner finds 50 in col, 1 } lines and col,?, lines 
43-48. However, this is a discussion of the poor art that Yavatkar criticizes and is not described 
as: being included in any device described by Yavatkar, whereas, col. 7, line* 43-48 pertain to 
discussion uFn gateway. Specifically Yavatkar discloses that: ''Node 48 is a gateway, providing 
network A access to other networks, such as the Internet, and acting as a firewall. Link 84 
transmits data between node 48 and other networks " u However, that gateway is not described 
as performing any of the claimed, fimctions. 

For the communication process the examiner relies ^ on eoi.2, lines 4-5, which k a 
discussion of a prior art "'sniffer." and 53-60, which is a discussion of his inventive concept, 
which does not indicate any use for the "snifter." Similarly en). 3, lines 28-45 is a discussion of 
two different mobile agenis thai collect data on the state oi'thc network. 

For the filtering process to insert filters on network devices the examiner relies 5 "' on col .3, 
lines 46-53 discussion of watchdog and bloodhound agents and col. 1 3, lines 56-62 discussion of 
a gateway that can be shut down or have filters installed. While Yavatkar does mention a prior 
art method, namely: 

timvtver, current methods til identify the gateway vhich is, i» ti'fs-v'f, ih-. : 
source «f attack traffic jo the network can he difficult and time cwsutaias;. A 
Rtiwwk administrator ttsing a sniffer may- determine which physical itnk (of 
maitipie links) on u device rccervins attack traffic, is the source of such n alfie, 
Ctriasn mttdak-s rwirfein n» nocfi-s may perform siftstiiir [unction* under the 
direction of a centra* console. With such information & network administrator ma> 
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move irom in.uk- i<> muh; i racing the path :<f (he hostile mt-ssages from she victim to 
the «>i»m\ or t<; tfse gateway sll-ming such traffic t<> enter »ta<? network. Such a 
method of determining the source of messages is slw /'' 

Yavatkar teaches- away from any combination of a "sniffer" device arguing that it is a 
conventional method and is slow. 

The i cachings thai the examiner relics on in Yavatkar are to elements that area on 
duferent devices. The devices perform somewhat simslar. but not identical function:*, as the 
claimed gateway. However, the claimed gateway is a computing device ihat performs all ol the 
functions recited. Yavatkar docs not show any device that per forms all of the recited functions 
and indeed given the rejection as concocted by the examiner, it would be inconsistent with 
Yavatkar to have a single device perform all of the claimed functions. 

Therefore, Yuvatkar is not an anticipating reference since Yavatkar fails to describe all o 
■be claimed features and fails to describe a device that possesses ail of the clamed features 
arranged as in the claim. 

The examiner also argues that Yavatkar inherently communicates statistics eolleeoe >r 
the gateway to control center. '\ . . statistics from the monitoring process is inherently gathejed 
data oi>iroilarities or differences used for analysis purpose* to determine the attacks and K\id o{ 
traffic on the gateway." Appellant contends ihat no reasonable reading of Yavatkar can e t.M'u 
the reference us inherently collecting statistics to analyze network traffic to determine wlviht i 
gateway is under attack. 

Claims i>) and. .$0 

For the purposes of this appeal only, claims 29 and 30 stand or fall together. Claim 29 is 
representative of this group of claims. 

Claim 29 is directed to a computer program product . . , for protecting a victim site during 
a denial of service attack. Claim 29 includes instructions . . . to monitor network traffic sent to 
the vietim site and measure heuristics of the network traffic to provide statistics on the network 
f\* 'a, tomi,\si v ,\' ■> . t's'Ko LoJeaed in the i omputer device to ^-viol certV* as\. '1 te: <<i * 
packets that the device or control center deems to he part of an attack. 
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Yavatkar neither describes nor suggests these features of claim 29 for analogous reasons 
as those given in the Appellant's arguments for claim 1 . Vavatkar tails to describe or suggest 
instructions to communicate statistics collected in the computer device to a control center. The 
examiner contends that Yavatkur disclose this feature Appellant disagrees. Rather Yavatkar 
discloses: *A sniffer is a device which may record network statistics at a node."' 15 Similarly. 
Yavaikar disc lost--: "Worksheets 234-3 S may perform tasks such as monitoring port statistics, 
CPU utilization, or reachability to other nodes." 56 

Neither -of these teachings describes or suggests the claimed feature of: "a communication 
process that communicates statistics collected in the gateway by the monitoring process to a 
control center." 

The examiner also argues that: "statistics iron: the monitoring process is (sic) inherent! v 
gathered data of Similarities or differences used for analysis purposes to determine the attacks 
and kind of traffic on the gateway."' '' Applicant disagrees Ibr the reasons discussed for claim I . 
While it is arguable whether the disclosed sniffer "records network statistics at a node" .meets the 
claimed feature of '\ . .statistics collected in the gateway from, the monitoring process, . . it is 
quite clear that Yavatkar does not describe: 'instructions to communicate statistics collected in 
the computer device to a control center." 

Yavatkar does not disclose any feature of the control center with the Worksheet teachings 
discussed above. Moreover, because Yavatkar discloses a "snifter" as an element of the prior 
art, which he strongly criticizes, and discloses "Worksheets" as par) of the state of the disclosed 
agents ! 1 0, it cannot follow that the examiner has made out a case of prima facie anticipation, 
since there is no disclosure in Yavatkar that uses the combined functionality of the sniffer and 
die worksheets. Therefore, assuming arguendo that, somehow these uvo passages d-d teach the 
claimed feature, the examiner still has not made out a prima facie anticipation case, since these 
features being disclosed as disconnected and incompatible and indeed one being criticized by 
Yavatkar could not meet the test to establish anticipation, as set forth by the Federal Circuit: 
Va mat. k ,vOA !vOh presence in a single prior art disclosure of all elements of a claimed 
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n.\umor arra^ied m die clam) " ,V 4< "-.< ii'»t>f.» a'.i-.^CV.S.?^ 1°\ l'>\ 

(Fed. Cir, 19835. 

S u\.t'.Lr .,Ko .^scl-'sc.s ;tLV:ii-. "mobile svftvtdie UK-daks" l<> .<dk-a dau os die staV -d 
i ik-iwod cuan^ a nctwoik au.ji k ik>\\oct. 1 i i\ fiH.ar also disx'lf.ses u<*t -o; ayeni man.ij?o 
do\ jlcs % „.i \v.> iuv" ukd on a prow dc\ ice 10 mo^to; <v *.onnel w\inai>ixl d-..-s k\v 
^ .mnLu suVk- de^enb.^ :h>; sy^e-^ -n^rufiuT.s r.> oo unm-tk ait. stat^t\ s eoikv.ed tUv. 
,'oniptisis.i. dov to h oomsv center \ awukat \- dwvio^ed .u-em? do r.oi cotor^-Hea-te t>: c 
iUUol:^ and .r p.irhc-jkr; do i;n* oimaimincak Mil- siatis'fto. \> a control comes 

*. Luri P ; a ho rttsuuos inMiucfiun* to n ! Ut ! his icauye also dis^nsir.^hes io. j.-alo^ous 
lesson- ;k ir.oso e^co in YnpeHantV ailment tot claim I 

\pjxlk-;:; coutcr.eo ihcrefus.' shut Yasad>.ar km\ as m ar.: jupatiPfc rc\c\j;^c h-xausa 
'"i naikai hd> !o dosenhe ttic composer ^roijrarn product, oo ehuried IK: i-vmnjierV 
ordupaFvi; io;A!h':; ts .1 „o ; K>>ct:or oj'utiK'latcd ek-mem.-. horn \ asatk'c; ;hat esoc.cd w lhx.c 
sen mite u>a\ i.i:<.d mtxra;\srnv However, diK dues rot uoamme ar. anticipator^ rdcienee 
.since -ihrouid; ur^an'..' ;he^e mcea.mKrrss ma\ haw ^on-e mdis idiuU fok^aree m tbo <. lamped 
k\ kites. :hv\ do ;u't v\ iakcr. \>; ether de-vnfx the ciaiuscd a»n!|nitt."- p<oi>ran pu>duct. s:;^-o 
there i^ Utah's kvv>- .vriictuii. o- uornputc. pio^ani pnxujui s.n Va\iitlai tiat p<^s^s^ ah ^; the 
fdaf.a of -J;c c:^isr,cd o.inipuUT prourum pu'ducn I 'isis. aso-unMtii tha: the uci ^ >.oiux i 
ih.v ckmcw.s hvis. c am. ; ax {i>und in t'le ufcrciice, u ^ patently dear Uuu MtOM> cic-iu-jt'- ;i T c 
.u>t <irK'ni.vd ;i'c £Cj>cr;cc mi a mansior as ihc\ aic arra n»od ki Mk dutm 

ILc C\ a.^tjx-f also ajpio dial '1 a\utkai :nheu.T.d> Lomru-rsss-akv ^Uttis-.K^ -^oUcuiod ir- 
tbi- : ;jto«a\ tt> Ci-'t^.'i ccia.-{ " -n<a M! C ^ fu>jn die i-.u-uitori:^ p^oee^s t ^ iriiuscnt^ v al JC! ^ 
d<tla ot sund.Kifcs ,ii .!-; ! c;xciccM:.scd In; an.tls ->is punx^;.> to dciernm.c t'icarae\s itulland '••I 
CatViO on Uie <a.aev t .\ 1 \pp<JU-tt e<tnt..*nds tha? m> te.Hontihk' fe.id'ns: o:' 1 '«\. Uajs c.i'j eonslrjc 
iac {oicseisuo a-. mivre'iH), cuikvlmg Mut.stic^ to .ai.il^/e nei^u>:k rafiv t^- dekuns^o \%he!d-.T i 
gaK-w.o is tsndo! aUack. 
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{ k o > : ^< loss annul on K . «. Liims 2 aj d ~ m md or tui 1 k^edk- Claim 2 is 
'"cpivscijUin l s - ;hi\ lifoio o- Jtami-; 

1 Mann ? nnrina iipitts chum 1, and reedes \hs. "tU' eon: mioicaUe.:i ps.w^s euiip c to . 
dedicated dn : \ ! o eePimLm^aie v\jth die couUol centei o\ei a h«'<iouui ivswon. ' f;jp feanin: k- 
ooi dov;ibcd b> ^ jxatkai {'be •-■xarimi.-r eontend,.. that " \s per claim J Njo eol ,\ hoes ;' 
dis^s^nt; die comn^miuiUiMi process couples to a dedicated link to eommiTneate v-ids the 
eeneoj eenVr-^e; a haaLoed mlvu»rk." " 

' be evarir.e' robes op the Seaehme m Ya\atlai thai the sworn launch^ ui .;u m ond 
has 1 rk a^eoi nvnirnvk idenfUs uhioh of die biiks t n the tu>de on which the aeons operate 
accepts a ispc o; c.a- * uiJfk' traverse the t.ionnfiod link to f i t c node aauw she Jink, ard 
cpo.sl In. rioccas ik"Ac\vi Uui fc not ft},jt Aprohan! ehntr-s. ;jinot u*i ^:ms "Lit Use. 

there is 1 a ccw\ i'od >!,.. to cornmu";ca:e v\dh the (.onuoi ecnier o\e" a hardened p.etuod ' 
\enSiei the iiv.cni nor the nodes aie dedicated links and n-oreos c; u apoe irs ru ;k e^cm L s ar. 
sndaenmralc ee.-eanjtso i. jr. ^onuasi to tiu ountivi arte fhac -s no moU^n ni Yes aika: dut 
'lv :\i:\\\--fk me e^ntraimfLUion pu^es*. u.st^ to communicate suth m«. e<.r.;ol ^oatei ^ i a 
ceiled. ifaido'KV -u'U-.vh. R.ahor u appc<u- k> bo die ^mo nciAt'ik ;b.tt ts nuMi!U>aj h\ the 

-\e<.^u;u\e\. vinv ^ .oad.ar i a ds to dosenbc ai: vi rhe. ?c;d'iros oi vdjrn'i „ .inar^eo. as ni 
tiie o.aun, \ a%;.:l:ar oaan-t u-tjejp<i}e da-ni .7 

i .') ibe ;>ur.5.!>^s of th:s .-.rpoai oi ? !\. ,.;.iinv- a ui 31 -land o- ;o-ao*ftcs 1 'kuni - 
is rqTusf.tit.iine • ; dus '^oup <>i olasnis 

<"a;>i; *> ;i usher birn^ ckum icquinn^ that iho L'atewa^ i-= .ioap^blo U> csnaMjn 
ipstail she f lions o:i uviuhy rjiHor Hv cxaniric-r ar^-se^ that \s pet inr See ;4 . !P os 

::S and eoi ! r Ir.-c- ^> disLtj^mj. die ijaiev.a> .t.kipiaMo to d* friniioah;. nt.oaK inters 
on ncarDV routcfs.' 

id. 
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Yavatkar discloses: "A watchdog agent may perform attack monitoring using filters 8 
software modules designed to detect a certain type or pattern of traffic. Fillers may be 
dynamically added to a watchdog agent or to a system on which a watchdog agent operates 
according to a type of attack which .may occur.'*" Appellant contends that Yavatkar's discussu 
that filtering can be added to the watchdog agent doe* not meet the claimed element thai »Jk 
gateway -s adaptable to dynamically install filters on nearby router.s. Yavatkar does not UiswW 
that the gateway installs filters on routers. Rather. Yavatkar teaches away from this featcte H . 

hi a ociivork having multiple s>ateva>s to o-hor networks, if the particular 
gateway allowing attack traffic onto the ndwork can he itietitifkii. she attack tan he 
halted. Kstlser (he {-ale-way can be shut down or the appropriate Riser eats tie 
irsitalk-d <>n She vali-wav. However, wia» cttrrea! methods to iiiermfv the :>aiew;;y 
>vi)!fh », in effect rite sotsree of attack iraf'fie to the net work can be diffkait ami 
tit«:.- WRsumin<>. A network administrator using » sniffer may determine which 
physical link (of multiple licks.) on a device reeetcins; attack traffic h th* source of 
soeti tr.iffk. Certaia modules resident oa ntidw may perform similar famtions 
under tht; direction «f a central console. With surfs information. * network 
sdrninisiraiar may move fr«m node to node, tracing She path of the hostile mt-ssagc, 
hots; tht- victim to the itmrec. or to the gateway allowing .such traffic to enter the 
n*tv*«rk. Such a method <>f determining th« source of niessiiges is slow. v; 



gaiewav nearov router?;. 

( i^.o^ " n ^ hid ^ 
oj « ?r;\M ! n appe < \^ Jains' S o J! 1 * % ^ "t I u < ^ tanj J 
tc<>t,1u t 1 >i < s'^i'vV "i 'oo'l ii <'ioJp otv'arn- 

C hn.M Lit, ei r^r's v .i.'i. i hs lev i iii. T twv.ii'.ti k pi,. v.s,U(. f c - t >i _ 
and k*Vn. u> , ^ - . f nu j v > »„ro,nti, oi IP .i.ijn.tr* 5 u>u o; 1 << \it sL\ IP ,\ 

oui,.,\!i k ! ^lAiit eU^*.,s ' S ,< es i'fnnei ,Jit.: o i ^ol 1 > ik> - > no .<n l*> 
>0 o! % «avat tot t us featu'. C !.« it Meotos !u„i»'inn.ir v 4,vuss,vtu'- i* „, u 
I'uUx ,"'!<• J,. r jl,^ iih't,^ v» \ oj I, ar .uh- -»<m funs si '^w^'h ^tot* ^* 
IXn . n l\o <! ,V,p<JvU<- o\ asol t <f t ■> v, .t. M,iaiM ^ .ui.^i^Umio' t«»n „ 



\ppis.ni \bvsi ;ti> ,u ,> \rtoto }>■> et^et <>. \<£,mv\ \ { <o L V r^'-awu 
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window sizes, svhich may indicate a load on the data center, or TCP ACK packets not bekw.irii 

Claim 6 will be used to argue why Yavatkar feds to disclose the features of these claim a 
Yavatkar discloses at col. 13, lines 4-29 the basic TCP connection protocol and how a process 
detects IP traffic and determines levels of unusual amounts of IP fragmentation or fragmented I 
packets with bad or overlapping fragment offsets;' A SYN-ACK attack can take advantage of 
that protocol. However, neither in thai passage nor elsewhere does Yavatkar describe that nite 
monitoring process detects IP traffic and determines levels of unusual amount* of I? 
fragmentation or fragmented IP packets with bad or overlapping fragment offsets" Moreover, £ 
col. 15, lines 30-33; of Yavatkar is disclosed that the watchdog agent monitors of other types of 
attacks by moniionng for trail) c characteristics of such attacks. However, this Joes not describe 
'The monitoring process detects IP traffic and determines levels of unusual amounts oi IP 
fragmentation or fragmented IP packets with bad or overlapping fragment offsets;', as required 
by claim b. 

Similarly, Yavatkar fails to disclose at the cited passages or elsewhere that "the 
monitoring process delects internet Protocol (IP) traffic and determines levels ofTransniission 
Control Protocol (TCP) or User Datagram Protocol (UDPs packets to unused ports;' as in claim 
8 or that 'The monitoring process detects IP traffic and determines levels of TCP segments 
advertising unusually small window sizes, svhich -nay indicate a load on the data center, or TCP 
ACK packets not belonging to a known connection;' as m elaim 0. Mere disclosure of he TCP 
connection protocol docs not describe heuristics that are used to determine types of attacks. 

Claims J. 22. 3.i 

K I e H ,v c> oj ths *vx\i! od\ claims 7, 22, and 3? stand or tail together. Claim 7 
" ^nesen /a e o> h •> i n u> cb r<s 

* »; u*'k. hrit-tY K> n I V x \ mgUa t\ no . io-jt „ \ c ^ 

k\ k P k .o* (ll > 'k, 1 !\ „ id Jetatnres ! v.\e ^ ;ifo,«.\^fa Ls^Wnoisl 
kdre^c s\ miuiuK <<n \k^ v cPi >to. oh ICV^i »a.ket> Mt> *>K\idv.<M c.-frat ou 
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this .feature. 

S a\ .uk.ii ti ; {ho >.Uod pa^jLlO'. dlv_!.is\OS d spu(>(a v ' aUaO\. V. h^l^ iiiJ sOSKVr V:vK Lf>,:.' oj 

taMo ton in- adjroso. -u.fi Hint ru<. sou<\,o oj the attack cannot ho .do\Pfk\i *u>:o :hc totted 
packer ,\- c \iK-. hcio 'l .i\,»kai met ok Jiscihscs site mechanist ot such at. attack rot an\ 
to.kaqu tolhwatt t; \o>-vrMe^\ elann S ^pcuftcaRs 'wte^ t<> doto^ue k\ ols -u )Pp.;tko- 
that rave had >autco atkLcs.^v »r internet Control Menage iVh- -col {K MP) p a.U-is w u 5 
.^.vd^'tM .k <m vk>u tddre.ssc v a\ atk it whether at t\ 1 k\ lines 44-^ ane - o' -\ hnes k> 2 
ot ci <ewhete Joon not d'.toiiinsic i^el^ id these J\jx^ o: pa-d.ek .tnd '.bcKWie does not .-.asiyev. 
this feature. 

CLuns Id. r. ; d V 

dot Uv -uqx>;e.s ;ht> « ppc. I i-nk . claims K). — \ and >6 s; cad o- ddi -".^tUt r - 

{ Uko i.nak ok ' d aao -^-ates that n:< mitotan: oo^pn-e-, deroeP.m; m Earned tav 
if«!Lu t'lai. Haa-m o tos a huru^ ikvtnet a perMsieu Hi TP correction Uv ovajnau.! 
contend* ihr i ^ uk r tc.ehos Uti., katUK at e«] k inu,s J - M. wh:eh is iertoOaeed hdiw\ 

Que UR-iht-ii t<i! .<!!«« ta.> netw.uk »<.a t -s to temmu ;ikmr> is tSu I CP iP 
t=<i*5s 5 ,<H! pj.n.ieok M( ( -i«k-s osi dfifoiom «0(j« itw> -isc H P fP . p'.otoiwf U, 

tO«I.J!U(llC.!tC MitJ! t.»-J) (.jflO! MJ .1 »*■!>■> l>tk. t <i«(fc C»r)fKVU-<! !.) & Bft>M<J k 

is Jin, 5 f P IP ft .iv ni, idU'nuf fi»«t«eoi ("IP"} jifiln-ss. « !>[(.(! L«HiM\f, «f tout 
Bi!«:bi-rv Mill stj i!f,itui .1 pt-!fid, Fhc iP .nidit-s-, !>e <(s<.a <o ti.unc 'hv n>nk- 
^<M-so fsoik"- iia>t.- n.oro shjn nut iP <<tl(ho->. 

\^ ^ a.! ^..irhs d'oXL-isoc aboxt, Iictc aijam l)ic cx an at", la.!-- to ^^o\^ ^ nott. 
Va\ itkat X'-toat-. iho ^kmsv N J feaiure -tral mstead rclic> i-n V ( i\<a'k.tj \ e^ui^s-or. t* s tne !( P IP 
tiap-jv*- pi«M»v-- kvVvo^oi, Motn!v.:i m Ijis passap. sr. 1st; te*i;ata<.ici u' ) a\atk't: dr<k> ts io 
• lot oc t rats.', of -o oao\ bio'v-r than p-^^bSo tot a human 

Claim 1 1 



In *.iaim H) the w a i s in ; i t « J t { r Vpj, i i t (t . hi 
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v s] \ « " * 

P . s t > v 

Oia?ot 1 L w hid; iVoues *i; (l t lie ' uiotij'o.mg pioevoc* njj.mains- >kuks-u a; *\\n*:n<u\ 
itv.oirutiuu oi n.dfse o\ i r rule- cm peuocis of nine J *tf outerem ie\ v.b o[ deia!:." is reMbor 
vksui^ee ih j M. c avMe.. b;. \ asaik.e- 1 he e\an;iner *e!:e.s on ..o! lines r>3-;^ ioj tins teaturt. 
is. th d p.iss^f-t N . \ atk.r -curses 

'!!»ii'lvi(n<: !5t.iv(i! k tr.iitic At^L vihvn .i parttinUt mmork cotuliiS'in <!or t \,s<si|>k-, 
.5 nt'tiM-ik .iitdcki ^ floticKd <;.ithctij)^ mior malum sii> t «it the t> jfilv oh U»e 

k |jiimci-(nt, MI) ;l«v'tli .:inf Sl<i\}fii> ihs. J^ftll !ti_! JtlM-k nktU<f\ nilfvil oi 
S-i5S>>- .>a thv snxk> on Minis ffu <i<;ern op<. t «fss. .tvwpt^ d i\(K> <k ciaw t >f nsfiii, 
*<h\o*m" tht -fici.fivd :>«k mthv nm1*> ,»cros\ tin Sink. .m« repeat < he |>tvu's\ 

Claim ; • . aJitout;h b-o.^lh ^..^bcl k rot me; in -h-s p .s-a^.e t>^ .ro. UMehing n- 
Y<.\aika- { i.'.::n C s.aii> k-i ''moniV-^us' pro^os^ ni:iniUi?is stau>-Mio t tLsi:ir.ri!ii> infotir.aiio*- of 
if.;. 1 !:!., mo; dmeteaS po'-ii-os of time ( vid at different ie< eb oi dei.;d " xwit. d-e.-, i , ! o ai Lai 
teach to n^rutart. -^n^rjea- mionnaiion or a Miminan o: the u.fonnation o\ei dibeam penods 
of us io ano vJiiku-.ii lewis <u dei-u! Indeed, to ihe cueist iii.it tin - dtsea^or si; i a\aikT at 
all rekwm to i v eiaou, \ a\ a'Lsr appeai * to onK uiiiher iritbrnivVvicut 'hou t-iv. Suiiho Ken a 
[u-iieioaj nefuoik eoiid-t;or JeietteJ ,- >'a\ aik«r does iiot aionito; tbskteii: ptr'oJo o?" 
t:i:ie ar.ti ■lin-./ieni ie^ok> Oct.u; ui« dv>t:s N ( j\ 4 ukar icttd :o : £i.iHUvi:n .-viat^J-va! sur.inuu> 
ii.K-^iuii.on i>\v.r ::i ■sse pen. J- diij le\v.-!s oi iletaH. 

Clamis i .o:> ano 3 / 

hs the :n.r'.a>os ofths appeal onh. eiantj.-v i \ ?."> ,jud st.m.i oi fal' to-ei:.ei ( :..e;'n 
1 J i-i roprosenta.t;^ e o A ',hjs c -u>i.p of v\iiins 

Claim se - s uk± s.-uic of she p.iuur.eict * rbi v.auh staM*'ioa! TsiOTnanen ^ pu-\ idea 
b\ the monitor;;! pjoees-- ( 'Unit S ?, rctitt"* "^tati-liv-s or. pa;aniotv.i\ ineU.tuu/ -.on.re<' v.i-i 
.ie-tu^ H\>i, Jio^r >^~!is.-H\..i\ aJviics^os. piotoeois. npes of p,n.kcis. nunibvi Oi 'pesi oonncouou.- 
or o^paekeis s-.-i^; 3 % o.tnes tlneehot " > av.iik.ir Jtn.s not dei>eube 'ijair.i.otir.u. 1 s-.a^sMe-J 
nifo^j! ( Uj..ji ■ix-so a;x\jfiv pajan^ieis. \shetfies at eol ?. Lne> 4-s -, : ooi 3, i:pes .it;- o- 

iadOv-J, ;lv exantiner copll.ae- iv.o uivekue.? v.oneepts ;io-i Y.t\..iikaf CVe '.he 
Ossv as^j.ip t>r.» mo:\-\ \\ ;i:oter ss a de^ite whteh nt t_\ recofvi neiuork suirnes j\ t s r-odc ' ul 
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are" istOvd oi 'n. ^itsoj ,r>or'u>) Jos< lot .iotjus <ir the aftaek n.MV y ioo -o.rv.e of it 
iti^ck ' j.1 .t e 1, on i<- .n k v tia f ; J to bo yabeie.: ! iom>i e of 'K uJ. ;ia tf \!v\ v 
i c ou^ it a o>- i io ar^ck ~uMfie ot \u . \ mtpjt ,t t>. u\ ai o\. \<j . J t\o to o i*u 
Mo<>>..od . i oiio ( ho ><KtKc ni <it. j J u h Jcro'u^t ^uh i./. 1 '! ,.j"'itrc! 

'mo, -v.la. . v vA Ia j.iiu t »m< ate tnc output! ior'U ;i 5 iiu^o^O' \ ,n , * 
i. o, * i to, " , - 1 A'o oot V \> nu'nl o i -tat > M <_ .! oi.oioi,,* o.i b„ . <)-t- \ ^- to 
r„ep<il^<> , a vk v a ,s oo J '<> tn J ord ndkh W , t _ro> <jjse us ->u i \ is ^ i'Li 

f JoOu ^ .'wiK.lt ^ v It OP' 1 1 t CM '"lJ u"... ol i- u " 

oii.l; t m.o'ij appc or\ J. irs^r" it >^st>j\ i f.k ooo Ko < . r 

. ^K Ij'OT n I \ g > v up O Jili.^ 

C <!.05 1 ..X'Vs 'i J f t o IkOfOiii p'Ov-t S MmOI!," Hi a A {it. - I ',u> <!Pl is UN.) 

.w u .■• o K i ooe I .KM: v.. Kjroi i o.ouUtK > (.>uo,r<)'K5o);> h < . i<^< ! "c 

<V,-h,tO OJ.o<n>oi \* 'Jits i4-^' d' <Kol i ^ 'HKSV* ,i!Mn|0.* < . oo-OK' jK^i 

i-t 1 t. 4 - ^ - N k«u »i>a' sos J-a' *!u ^ akfj.,<>» u em ^ m uitft . \ oV 1 .e sIojo'K 

v'.j't il<»od>e> o.l u'o i*- and u>i i> 't.ics 2o ~' .vho'o 't ,i\ i kaj J- -o-c ^ 10 c t to o <«VtJ.\., 

p' an ' iKi 1 ^ Htt'i .oi.naje .o ji,ol!m< he tj roe ^ v- i niisuU. j o«. c > 1!M uK^.i<n 
pj<\ ^uS liii^ou oooo i <.so oVu s.s.on^ oi.s^itbcs .t'li'i'Udr'ol'it^t o i „ f h 



"" Sysieum tixist for collecting infi>iT»atio«.about nehvoti traffic. For example., to determine the node which h the 

MIM\ i iv I d K > i K^itl-O. il'^U A i ; < . J> T Hk ^ x tvt.M k 1 It NX'i.t.lV 'I, \ t. \ M n'llu 

a source) and the path or paths taken by such traffic, a hutnan operator may access each link at a node receiving such 
ikithe .ma a\ih %• t>~c sj^oriuif t ati'n um'«c o m mIcj \ stnifer is .5 dc.c whidi n\t\ ts.«.of.i nc^osk sUfsssu. .it 
node. Ois operator may identi fy which of the physical links attached to the node js receiving s certain type or 
amount of traffic md then move to the node on the. other end of the identified imk. The path or paths of traffic Worn 
the source of the traffic may be found by traversing «he network from node to node, using the sinffe at each node in 
a path, unuf the source is reached. Such a diagnose b slow and inaccurate. A similar analysis may be performed 
from a central console which may query remote nodes for information about the source of incoming traffic. Such s 
diagnosis js also slow and inaccurate, as it requires commands to nodes and responses from nodes to be transmitted 
across the network. The speed at which attacks occur and ihc speed at which such problems most be fsxed makes 
suchdik'iit^n mciho-J.. neilecUM' A p.nhuketih> naffic tn.!> be •.tt.s.c-ibed \s she eq-.upi s^sj ua\<.tsedhv t{«;T<. as 
the traffic crosses a network or networks (e.g.. a aeries of. nodes and links, or a series of sub-networks). Yavatksr 
CoL I . line 65 to col. 2, fine 23. 
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>;ak^ .0 is-n;e.-> w armng ubeti uut of 4e niL-avaivd p.iMincta^ ^ ^cwb the eerre^poruLne. 

threshold. 

Claim 39 

t. r ; >^\vum sres v > hjL JivvruLM iho 1 i st^ u/km .o.\-< 
to < cC!\ <. ruu\ .) v + $on* ^oli i <_orki< , vculu V ovb- ^ Hit x> 1 r 1 s v ^ j . - <y t T H"t 
p .^V t,uoi v J e *,vUew \ 



Conclusion 

A;vv S - tberetoie Lit Olein.s ' Wdioi t 1 "trvue i ^ e tL ,<t 

.ii <>»• jb *U vMo<i jit 11 1 re'Ote tlx Lk.iu .k. u'ul , i ukm i ^ VrpJ.ari \ ^\ 

shou J housed 
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Appendix of Claims 

I . A gateway device disposal between a data tenter and a network for thwarting 
denial of service attacks on the data center, the gateway device comprises: 
a computing device comprising: 

a monitoring process that monitors network traffic through the gateway; 

a a>rn.mumcation process that communicates statistics collected in the gateway fhwn the 
monitoring process with a control center and that receives queries or instructions from the 
control center; and 

a filtering process to insert filters on network devices to filter out packets that the 
gateway deems to be part of an attack. 

** he j re>\a<> * 1 el -nr I v idem tl i - or nu..ivat\v vOs.pL^ to . 

Jt-e-vate.i irv \ <. j tr.an^ \ ^ t- ihe loouo! t en.c o\a ,n ,dc< <J i u<\et! 

" ) , gakv,,o 01 darn therein Jie tro u uu» p.o.os> pIl^.v^ 

network packet How in the network, 

4. The gateway of claim I v\he:em the -utewav i» aJapubx So be phx stalls 

deployed in line in the network. 

5. The gateway of -claim 1 where n tlx y< ien a\ h >d *v t HK to d\ \tmi alb .n-ta) 

the filters on nearby routers. 

I e eau a - \ o\Un . >> Uu\r. <hc no , tonne, p-ou. de^u- 1 1 'teKie . id 
Jets. <j\res!e\ w ,o t .jnjvI .<n> ^nt\ <U IP tK^troriaiier m hagiver>al 'i' pac.\U< v\->f, ^ j ot 
o\ul.ipp ha;menr oibeK 
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Ine < <uow\ o, ^ur 1 vMit-u n {Ik -not .Uyiugpi wv- uk\'< i \',yi p< t >a>! 
ti'M^ifk a.>v-n-iijc le%<_ >. ot II 1 pkI' t\ thai ) >d -on;" ^o~ 0 ^ , <\ IiHcjkU ( > i\t ^ 



s s_ p.k'Mi \ ( inn ! \*. ieiur v imnPot v-> noee>N pclc- h *w Pjohm>! ( I ; J i 

(UDP) packets to unused ports. 

" ' K' of OiaUU ; uhcrc 1 ;! mOP.'U-riJJi pUV 0s; % JcUMs IP tU^lC Ltikl 

determines e^ei,.- of !( P ^'<>mcnts ad\ causing .must sal K ijuali ^ mdov, s; -c ?- Inch nu \ 
indicate a L>ad i-u the JaU <.vuu o: 1 CP U"k paclets "nH belonging 5o .i ku>\s n ■.o-na-eLvk 

[ V t -jlo\x<n ■ claim 1 whoietn njonjtonpg process n'cLets su^anid mic milker 
*fsan piuu^bie Vi a bumus nsei ose; a p, riMcWnl 11 TIP cvuieclinp 

I i H-l g,i!cv\;o. of claws ■ wherem nifspiL^nL- process ru nuns suM^t jc-i- Mm-mary 
:i)Kfnijauon \\Ji'.K-<^ ei Jiitcteni pervds of hme and a; J-fVaviii kvcL ui dentil 

:2 I no i\:iev, n> ,-fci.i'n- 1 1 u hc;vm mou to; mg process mamUn^ ^tfslics on 
pjmmUefs mc.admg somv.e apt; dermal i<m host or noswod. .td>Pes*vs, protoeoK t^pes o- 
packets, nupihe: c-fopiM conned .'j-s-ir^l packet ; M.ut ii; a'-hci dex-ason 

I - FK -^ilcwdx o; \..ham 12 \^ heron monitoring ptoeess has eom'.gnmnk u-ediok.s 
and iWAo a \\ inmig v>hen v>.k- of i: iC uj^ast \cd p-iTusneior- <.^<..oe-^ tin cv^o^vpiMp^ Miu^hold. 

.14. I he gateway of claim i 3 wherein monitoring process logs packets. 



Vru5M<. s^ > t 

!aac ^ ^> 

I \ he vdlcw a\ oi chun 14 v\ Uuvir. monn^nng r^"~^- '-oil* <\\x:l)c packet- 
:<.k»piif:oc. j\.n of vi a'Kn.k V ciubfe an udimnisUaiu- t<> ukpuh impon-in* o;o;\'i"!i* of ltk- 

mack. 

i ;> \ jjjUwv >>; prwkvhnt: a \;ctin ^jv dirn v a der,:ai of ser^c -mack, v.V'»p:i-'w 
doposun; a :'„itov,;j\ Jc\'iC between the: \U't;)r> site and a nen^ik. 
.nonuonv sietwoix iniia thu.i.;J; the L\itevw> and mcjoUMt^ iu.fitstuv >.f the nUwo-K 
tr Sf:-,. \> pv> ;oe "toik'i netwotk cdTk . 

i oiome ■sv.\r,nv- the .AU^tiCo ; oliu ted ir the iute'\as v a control ee:;!e? and 
r"iier ! a;< >■-■* }\u \0? ; tha* iho ev.iow a\ or conirol eemci deems to be pan oi anack 

i 'io ^ct[.<fd of elairi lo u herein v.Oinmanfeai;ng ^eiits o\ or eeetcated j-A to 
the oojvjo* ^.enM v.a i baidened network 

18 IU nu-ihod ol e. i-ir 1 1- wherein m-mtonnt: sjoiple.- rxt^ o-k jacket ilo>\ in the 

network, 

t l > I no uwv.i<\\ of eiarm 3t> vdsaejn tV -atewa} h phs^ioa:S> ucoie\ui n lux *u the 
network. 

M r^e '-leihod -o! eLtiiii U- vdieiean fjiierm^ fuithor ■.oinpnsv 1 
owko^vJ > riAi'ilUnj.; fibe-.., on neath> touted \ui an nut of Ktn.l eon.n.v'u>n. 

^1 i'Jk "hahod oi >d,ji:n io u herein m^nitunnj: further eonipiisv.^ 
dLiei.ur.it iP tialile aiki detesnmnup ie\v/k of nn visual amounts of II* isajvmailano.i or 
rhi^ucnJed IP paekois wi'h bad . r o\ i'dappr.i" frainnem offset* 



.■■jeUtt'd v- eiuini ii- s<-:iv.rein montonitii Mathei eon^iTf^CA 
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deluding internet Protocol (IP) traffic and determining levels of IF packets thai have bad 
source addresses or Internet Control Message Protocol (ICMP) packets with broadcast 
destination addresses . 

23. t he method of claim 16 wherein monitoring further comprises: 
detecting Internet Protocol (IP) traffic and determining levels of Transport Control 
Protocol (TCP) or User Datagram Protocol UDP packets to unused ports. 

24 llsc mahod < I uann 10 v, herein monitor, tti.' Urther eompnst^ 

deteun:.. IP !nuf.-_ aid determines lexeh 1 of I CP segment ad\ crn^ng \nnsiijlK ^rail 

* u-o'o\\ sj/ev v i: C-i ma\ .ndKaie a ioae on the data cense-, o r I < P ACk packo not kJougnit; 

l>. a ku"\\;j c>^kxh<-n 

f V le S ed >' cL.T 1 If WAcieir m ( >UftO"ng ,rr he ^o*rp r ^e\ 
dene Ai s» > Nj^aii 4.0 \\'c '! .do'J 'Lq.iLst^ th ^ In mj iCi diet p u^b e v' * „n as esc' 

0\»i > PC Msk P! ! i I P.OIltKAhol 

"o ' hi a.ioti ot ...i U- ^he r e\j nor k,i n_ t. it.!., l« np -e- 

'ooo 4 tl ; v on waPiv-'as JK lid n» \on>< o Jid dv s' r 00 . hvM >M O' 1 
n < v-^^v. >v,-t( >u . h'vsul p.ckeL njmhei ot open v. o mentions, it . 1 o.xke?^ -e 

2~ : . The method of claim 1 6 wherein monitoring further comprises: 
issuing a warning to the control center when one of the measured parameters exceeds a 
corresponding configurable threshold. 

28. The method of claim 16 wherein monitoring further comprises: 
'oge'm; spts-ifi. paeio.h ak-ntitied as pan of an attack to enable an administrator to 
ideru!\ unp ^ r. p:i.:v:t:v^ of me attack 
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. 0 \ computer ptoctam pm.Juot Raiding on a computer readahk n^Vnnr i^s 
PioteUmg <j v ,cUm -mc dimag dcr-ud ol .sen ice a^Uuk, <..ompt>v# mstruu cuuvul c 

eojnputu do kc wupkd at vi cn'rs :o the \ite to 

i'j-,,kik>r ne*\\oik traffic -^ent the \<curn Mle and mcv-suie hear ^5cs oi du- net^esk 
{; ut:<, ix p<x>\u t .-tannics <*\ \bc i;ciaoik luilk, 

0<>JK'l;Vi\ .it'. M.ifKt^s CokcCtcd :M the Computet dCS;Ce a Ll'UtiOi CCilA" ,mC 

Ubct oaevet that die dc\ see oi loutr*' center di-cms :■ bo past o; s:i aiiack 

V) " i? t > o- mipu:>r protnam product ol clan.) 2 lJ nhcRVi uWiia U> -ns to monuo; 
further comprise instructions to: 

sample network traffic .flow. 

3 1 - The computer program product of claim 29 wherein instructions to filter Further 
comprise instructions to; 

dynamically install filters on nearby routers via an out of band connection, 

32. The computer program product of claim 29 wherein instructions to monitor 
further comprise instructions to: 

detect IP UiUik; and 

determine levels of unusual amounts of IP fragmentation \>- fracmenied IP packed vifh 
bad or overlapping fragment offsets. 

33. The computer program produe: ot c«a.m 2'' s\ iiccji 1 ».>t:uet}o* > to kk icto: 

further comprise instructions to: 

detect Internet Protocol {IP) traffic: and 

determine levels of IP packets that have had sotcce idjKvLs ot imci-nr Couuol 
Message Protocol (SCMP } packets with broadest dcstinaoou adtfiesse* 
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3-1 . The computer program product of claim 2'-> wherein instructions to trtonUor 
fyrt her comprise instructions to; 

detect internet Protocol (IP) traffic; and 

determine levels of Transport Control Protocol (TCP) or User Datagram. Protocol UDI 
packets to unused ports. 

5 ^ 1 . n\ Mi '! p50»l,"r liodtk-t O 4 v. J.PJ ? ' \\\,< K'iP t!-t k 4 !Oa- .O 5)1 UV* 

1 r<U. v<* i.^'ivs^L-ro^ on. <o 

aetcci IP trartie; and 

u <cn i* i mKo Jf P ■>ecn> > t* t \K (.r.ti.i s ' u iusu ->ial >m it ^ s /c-> s\ w i> r 

.i >b< .\c a o. ». m i \v u, 4 . > or.e j t P U k t\kke^ 'k * he! ^ .O i >v ! uVI t. so 

> -*t (< i pro- unr vodikt o 4 >. .\n ,? 1 hLlu tr io.i- o h ^mUv 

I ' T U' v<MCVi^Cv S^f OwOtl- to 

oJwV >nj . rxdviU. » .oo vcut t.m.H s /sudscr ♦hart p' ->.^< to; ,\nnar Net 
ovof a periston! U \ 1 ..otmectn>n 

3 7 PK computer progr.rr. nnukej of cl-nm 'a \-.<'\c\r m -i. ur-ou - io menPos 
Lrrthu" c<f:npjK>c^ uk-imc-ion- to 

ioi' skUitlios on paranoica nu.bidtnc, .->ourc c and deM.n t*tor! bo^r oi ne 4 v,<»'k .sd.he^e 
pioiocoj.s. tspes -d'p^civ uumhu of open >.oinjeun-ns >n ^ packeu ayi' ui -.■■■'Mcr dueu>e; 

3S i 1 i .vmpiUi : progum- pu'dnet of claim 2'-* w\\u jip msn uc*r>;s > io nsi-nnVt 
rnr.bet ^omnn-c- m^nscMon^ to 

tsouc a v iVAtu-j. to Hie out-id eenv-i wlun one o* the mea>uu\i p.ir.invtc'.-* ewi eos .i 
corresponding configurable threshold. 



39. Tbt computer pj octant o; .-barn H} firmer cnn.pi h-a-ic, m j.cu«.vn ic >_ci,s<. Pie 
processor to receive communkmou.- h<<m a „onuol eunei to de.^et data perLnmp;; v ! *k> h^o\ 
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of traffic passing through the gateway. 
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